Re: svgalib/zgv

[dhg () DEC NET (Dave G.)]

> zgv/svgalib "vulnerability" ?
>
> hello,
>
> i dont really see where the problem with zgv/svgalib is.
>
> There is obviously a buffer overflow with the $HOME
> environment variable, but all my attemps to exploit
> this failed: svgalib had well dropped root perms
> (see below). Any idea ?
> (i'm using Redhat 3.0.3, 4.0.0, svgalib 1.2.9)
>
> > From vga_init():
>      ...
>      seteuid(getuid());
>      setgid(getegid());
>      ...

The problem with changing the effective user id is that on systems with
saved user ids, one can change the effective user id back to the saved
user id.

The test code at the bottom of this message illustrates this.

> Sample try:
>
> [devel@plaguez]$ uname -a
> Linux plaguez 2.0.30 #7 Sat Jun 21 09:35:21 MET 1997 i486
> [devel@plaguez]$ ls -al /usr/bin/zgv
> -r-s--x--x   1 root     root        87780 Feb 26  1996 /usr/bin/zgv
> [devel@plaguez]$ ./overflow HOME 1124 0 /usr/bin/zgv
> bash$

In your shellcode, try adding a setreuid(-1, 0) before you exec the shell.


--- begin test code --
/*
 * compile this, make it setuid root and run it as an ordinary user.
 *
 * Dave G.
 * <dhg () dec net>
 */

#include <stdio.h>
#include <unistd.h>

void main()
{
   fprintf(stdout,"real: %d\t Eff: %d\n", getuid(), geteuid());
   seteuid(getuid());
   fprintf(stdout,"real: %d\t Eff: %d\n", getuid(), geteuid());
   seteuid(0);
   fprintf(stdout,"real: %d\t Eff: %d\n", getuid(), geteuid());
}


---                                                                ---
David Goldsmith                                            dhg () dec net
DEC Consulting                                      http://www.dec.net
Software Development/Internet Security
KSR[T]